Password Managers are the Hot Targets 

Lastpass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher. Many popular password managers like Dashlane, Bitwarden, and Safari can be phished.

There are many lessons that we all need to learn from these recurring incidents. This post is to uncover few points that we have seen have not been discussed by the info-sec community and the industry.

The Catch-22 – Phish or no Phish?

LastPass warned its users of an increased likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks against online accounts associated with their LastPass vault.

Password Managers getting phished is an alarming situation

This statement goes against what all the password managers like LastPass claims – “use of password manager protects users from phishing attacks“.

In recent times there have been more incidents where password managers have been proved vulnerable to phishing attacks. You can find more details in this article Popular password managers auto-filled credentials on untrusted websites 

The Impact

In their blog post, Lastpass reported that customer’s personal information like email, phone number, billing address, IP address have been compromised. That is not all, what LastPass has not talked about is the additional information they collect from their users using their mobile app. 

The screenshots below show the permissions that Lastpass app takes on a user’s phone.

Permission take by LastPass app on an Android device

These permissions enable the application provider like LastPass (other password managers take similar types of permission on user’s device) to collect more information about the user than probably needed. 

User Information collected by LastPass app

In case of a breach, like what happened with LastPass, the severity of the incident and privacy impatc will be more if any additional information collected from the user’s phone is also leaked.

The Passwords

Furthermore, LastPass has reported that customer’s vault containing clear text data, such as website url, and encrypted data of username and password were also obtained by the threat actors. 

Lastpass emphasised on the use of master key, and how a threat actor can not decrypt the password vault even if they have the encrypted data, as the master key, which is a master password set by the user and is not stored on lastpass network. 

While 1Password, a rival firm of Lastpass, claims through their blog that passwords of LastPass can be cracked in $100. They also talk about their superior method of  using secret key and Password Authenticated Key Agreement systems, which makes 1Password’s systems next to impossible to crack. 

With the device specific keys mentioned by 1Password, we feel syncing of the passwords across multiple devices becomes a risky affair. Since passwords need to be decrypted on another device and it needs the user chosen master password as well as the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords (encrypted just with the user chosen master password), in transit. 

Conclusion

After a series of events involving Password Management products, enterprise must seriously think about how safe their user’s data and passwords really are. 

Not to forget, server doesn’t care if the password is coming from a password vault or from an adversary, the server will authenticate as long as it can match the string. So no matter, how and where you store passwords, as long as there as passwords, Enterprises are always at risk.

For a better security, Enterprise must plan to remove passwords from their applications, servers and #GoPasswordless

Dropbox Employees Phished, GitHub Repositories Exposed

Dropbox disclosed a security breach on October 14th 2022, resulted due to Phishing Emails. The email was impersonating a third-party service used by its employees. The attack resulted in credential leaks of employees, which enabled the threat actors access to their Github accounts. The hackers stole the content from 130 repositories, consisting information about Dropbox employees, users, and vendors.

Phishing email impersonating CircleCI

The Incident

Phishing campaign initiated by adversary targeted multiple Dropbox Employees. The emails were crafted to mimic communication from CircleCI , which is a Continuous Integration and Delivery Platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.

CircleCI login options
CICircle Login page

On a fake GitHub page, the employees were requested their Hardware Authentication Keys to provide an OTP for 2 step authentication. Adversaries used these credentials to access some less secure repositories of Dropbox, containing some API keys, and customised tools.

CircleCI login page
Github Login Page

The adversaries are not traced yet, as they used VPNs to hide their tracks.

The incident details shared by Dropbox
The incident details shared by Dropbox

The Impact

Dropbox breach is a direct result of phishing, which was not contained by 2FA or MFA solutions the firm normally has in place.

Furthermore, the laws of the United States allow authorities to have access to user data under Patriot Act and such, hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company is claiming that no core app code was compromised. For more details, visit here.

Previous Incidents

Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase have fallen victim to the same. Furthermore US Power grid and John Podesta are also highly notable examples of Phishing Attacks.

IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well. LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also hold a considerable proportion of it. You can find more about the stats here.

Mitigation

Millions of phishing emails are sent daily. Many spam mails slips through spam filters and when that happens, you must be able to rely on your employees to stay vigilant and act responsibly. That is the reason why many companies opt for Employee Awareness Training Plans.

When training campaigns cannot keep pace with the new trends, and URL-checking anti-phishing measures is proving to be far more intrusive. The best option right now is to switch to Password-less Systems with Zero Knowledge Encryption.

With PureAuth Password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods. 

Feel free to explore further blogs by us related to Phishing and Github . Stay safe. #Gopasswordless

Ever increasing Office365 Credential Phishing Campaigns

In the advent of widespread electronic communication we relied on a password for verifying the identity of a person. As it turns out, passwords are not secure enough to trust most information with. Two Factor Authentication to the rescue! right? Well, it’s not so easy.

As systems have become secure, the attackers have shifted their focus on capitalizing on the weakest link – Humans. While 2FA has somewhat solved the problem of people using ‘password’ or ‘1234’ as their passwords, it cannot fix the inherent problem with humans. We make decisions based on our knowledge which is flawed most of times. Attackers take advantage of this to carry out social engineering attacks such as phishing.

Risk of Phishing attacks

Verizon Data Breach Investigation Report 2019 observed Phishing was used in 32% of confirmed breaches, and also 78% of cyber-espionage cases. Additionally, VDBIR also states that 29% breaches involved the use of stolen credentials which again is commonly accomplished through phishing attacks.

Due to the large number of successful phishing attacks, VDBIR mentions it as a #1 Threat Action

Phishing attacks on Office 365

As such, there have been multiple attacks against Microsoft’s Office 365 platform which hosts productivity apps and documents, very important to businesses.

This phishing campaign uses Google’s Ads services to get around secure email gateways. Here you can see how blindly trusting anyone, even Google, can backfire.

Zoom Phishing mail
(source: Abnormal Security)

Office 365 Phishing page
(source: Abnormal Security)

With the popularity of Zoom skyrocketing, the attackers have been bandwagoning onto the new attack vector to target Office 365 logins. The trick they used is to rush the users by making them believe that their Zoom account might get suspended. Oh! The horror of not attending a meeting!

They have also used fake Teams alert, Relief payments, VPN configs to try to get your Office logins. Looks like they desperately want your office 365 credentials.

All the more reason to protect yourself against such attacks.

Effective Mitigation for Phishing: Go Passwordless

When all the training campaigns are failing & URL checking anti phishing measures are proving to be far more intrusive, you can effectively mitigate the risk of Phishing by going Passwordless. 

With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods. 

Try out PureAUTH, which offers passwordless secure access to not just Office 365 but many other services like AWS, GCP, G-Suite, Microsoft Azure and others.